Discussion:
saner defaults for config/firewall
Vincent Frentzel
2014-02-20 23:25:23 UTC
Hi everyone,

After installing ceroWRT the first thing I did was to reconfigure the
firewall as shown attached. My router is used as home gateway and I wanted
to lock down the device a bit.

The changes I introduced are as follows:

- LAN (s+) to/from GUEST (g+) is not allowed.
- GUEST to ROUTER is restricted to DNS/DHCP/NTP.
- I've tuned the basic IPv6 rules to take the above changes into account
and allow proto 41 INPUT for 6to4/6in4 tunnels.
- LAN to/from ROUTER everything is allowed.

This could be a nice default config.

Feedback welcome.
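The attachment Vincent refers to did not survive in the archive. The following is an added reconstruction of the zone layout he describes, written in OpenWrt fw3 UCI syntax for /etc/config/firewall; it is neither his attachment nor CeroWrt's shipped config, and it assumes a WAN interface section named `wan` and device names following the s*/g* convention from his post.

```uci
# Added reconstruction, not Vincent's attachment: the four rules from the
# post expressed as an OpenWrt fw3 /etc/config/firewall.

config defaults
	option input		'ACCEPT'
	option output		'ACCEPT'
	option forward		'REJECT'	# no zone-to-zone traffic without a forwarding section

# LAN: every device whose name starts with "s" (se00, sw00, sw10, ...).
# LAN to/from ROUTER: everything allowed.
config zone
	option name		'lan'
	list   device		's+'
	option input		'ACCEPT'
	option output		'ACCEPT'
	option forward		'ACCEPT'

# GUEST: every device whose name starts with "g". Dave's reply notes the
# mesh interfaces also start with "g", so the wildcard pulls them in too.
# input REJECT: guest hosts reach the router only via the rules below.
config zone
	option name		'guest'
	list   device		'g+'
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'REJECT'

# WAN: 'wan' is an assumed interface section name, not taken from the post.
config zone
	option name		'wan'
	list   network		'wan'
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'REJECT'
	option masq		'1'

# LAN and GUEST may both reach the internet. There is deliberately no
# lan<->guest forwarding section, so that traffic hits the REJECT default.
config forwarding
	option src		'lan'
	option dest		'wan'

config forwarding
	option src		'guest'
	option dest		'wan'

# GUEST -> ROUTER restricted to DNS, DHCP and NTP.
config rule
	option name		'Guest-DNS'
	option src		'guest'
	option proto		'tcpudp'
	option dest_port	'53'
	option target		'ACCEPT'

config rule
	option name		'Guest-DHCPv4'
	option src		'guest'
	option proto		'udp'
	option src_port		'68'
	option dest_port	'67'
	option target		'ACCEPT'

config rule
	option name		'Guest-DHCPv6'
	option src		'guest'
	option family		'ipv6'
	option proto		'udp'
	option src_port		'546'
	option dest_port	'547'
	option target		'ACCEPT'

config rule
	option name		'Guest-NTP'
	option src		'guest'
	option proto		'udp'
	option dest_port	'123'
	option target		'ACCEPT'

# IPv6 neighbour discovery and router solicitation must still reach the
# router, or guests never get an address or a default route.
config rule
	option name		'Guest-ICMPv6'
	option src		'guest'
	option family		'ipv6'
	option proto		'icmp'
	list   icmp_type	'router-solicitation'
	list   icmp_type	'neighbour-solicitation'
	list   icmp_type	'neighbour-advertisement'
	option target		'ACCEPT'

# Protocol 41 (IPv6-in-IPv4) INPUT from the WAN for 6to4/6in4 tunnels.
config rule
	option name		'Allow-6in4-Input'
	option src		'wan'
	option proto		'41'
	option target		'ACCEPT'
```

After editing, `fw3 reload` applies it; `iptables -S zone_guest_input` shows the expanded `-i g+` matches, which is a quick way to confirm which interfaces the wildcard actually caught.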
Dave Taht
2014-02-23 17:21:40 UTC
Post by Vincent Frentzel
Hi everyone,
After installing ceroWRT the first thing I did was to reconfigure the
firewall as shown attached. My router is used as home gateway and I wanted
to lock down the device a bit.
- LAN (s+) to/from GUEST (g+) is not allowed.
- GUEST to ROUTER is restricted to DNS/DHCP/NTP.
I note that even dns is a problem in terms of leaking information about
your network, so is mdns.

the "g+" convention can simplify access to the internet in the rules too.

There are also potential problems in enabling the polipo proxy.

Note that the mesh networking interfaces are also "g", and there is
something of a conflict between allowing the mesh network and guest
access.

I used to solve this somewhat with the babel authentication extensions.

http://tools.ietf.org/id/draft-ovsienko-babel-hmac-authentication-06.html

at the moment that code had landed in the quagga branch of babel,
not babel itself.
Post by Vincent Frentzel
- I've tuned the basic IPv6 rules to take the above changes into account
and allow proto 41 INPUT for 6to4/6in4 tunnels.
- LAN to/from ROUTER everything is allowed.
This could be a nice default config.
Feedback welcome.
After getting the last release out I took a break from email, and didn't
get to this.

There are certainly conflicting desires for how to do firewalling. Historically
we run fairly open by default due to cerowrt's origin as a research project.

In the case where we want to open the network somewhat to house guests, being
able to have reasonably secure (ssh and printing) protocols open to them
is a help.

In the case where I want to share my network with the neighborhood,
locking things down as per the above makes more sense. I'd argue for even
stronger measures, actually, something that an org like openwireless.org
could recommend so that people can feel safe in sharing their wifi again.

I think we should put up alternate configs like this somewhere on the wiki,
or in a git tree...

I have a few other desirable configs on the list.

-1) gui support for the + syntax would be good.

0) I really, really, really want bcp38 support, using ipset. I wouldn't
mind a complete switch to ipset for a variety of things, but some
benchmarking along the way would be good to compare the existing schemes

one problem I've run into in turning on bcp38 by default is dealing
with double nat on the dhcp'd interfaces.

1) a more "normal", bridged implementation more like people are used to.

2) vlan support (I've never managed to make vlans work with babel, btw)

3) ?
_______________________________________________
Cerowrt-devel mailing list
https://lists.bufferbloat.net/listinfo/cerowrt-devel
J. Daniel Ashton
2014-02-23 19:10:09 UTC
While you're looking at things that ought to be in the default
configuration (or in "a" default configuration, perhaps available on the
wiki), there are two use-cases that I would like to see work better out
of the box:

1. mDNS sharing across non-guest segments: my wife on Wi-Fi, I on
Ethernet, should be able to see each other's iTunes libraries and
the mDNS-advertised printer.
2. Google's new Chromecast device usable from all non-guest segments:
it has no Ethernet port, so it is on Wi-Fi at 2Mhz, my tablet on
Wi-Fi at 5Mhz, and my desktop on Ethernet. Both tablet and desktop
should be able to see the Chromecast and control it.

I really like the CeroWrt approach to network segmentation: I felt like
I was learning best practices as I read up on what you chose to do. But
the above use cases seem to be problematic with this approach.
--
Daniel Ashton
Vincent Frentzel
2014-02-24 08:07:41 UTC
1) a more "normal", bridged implementation more like people are used to.

Regarding this scenario. I tried to revert cerowrt to a bridged setup and
ended up with a completely broken system.

I bridged the interfaces as follows: eth0.1 + sw10 + sw00. Connecting over
wifi worked fine except that cabled hosts could not be pinged. Connecting
over ethernet didn't work at all (no DHCP received, cannot ping router with
manually assigned IP).

Was something related to bridges removed in cerowrt?

The config I used works fine on Barrier Breaker.
Sebastian Moeller
2014-02-24 09:29:36 UTC
Hi Vincent,
Post by Dave Taht
1) a more "normal", bridged implementation more like people are used to.
Regarding this scenario. I tried to revert cerowrt to a bridged setup and ended up with a completely broken system.
I bridged the interfaces as follows: eth0.1 + sw10 + sw00. Connecting over wifi worked fine except that cabled hosts could not be pinged. Connecting over ethernet didn't work at all (no DHCP received, cannot ping router with manually assigned IP).
I could be totally out for lunch here, but shouldn't that be se00 (secure ethernet) instead of eth0.1? At least on 3.10.28-14 neither "ifconfig" nor /etc/config/network mentions eth0.1 at all. Could you post both of these (so the result of calling ifconfig on a terminal on the router and the content of /etc/config/network ;), I am sure you know what I meant, just dying to be verbose for the sake of people stumbling over the archive of the mailing list)
Was something related to bridges removed in cerowrt?
The config I used works fine on Barrier Breaker.
best regards
Sebastian
Vincent Frentzel
2014-02-24 10:05:07 UTC
Post by Sebastian Moeller
I could be totally out for lunch here, but shouldn't that be se00
(secure ethernet) instead of eth0.1? At least on 3.10.28-14 neither
"ifconfig" nor /etc/config/network mentions eth0.1 at all. Could you post
both of these (so the result of calling ifconfig on a terminal on the
router and the content of /etc/config/network ;), I am sure you know what I
meant, just dying to be verbose for the sake of people stumbling over the
archive of the mailing list)
Hi Sebastian,

Understood. I will come back to you with the ifconfig.

For info, I did try both se00 and eth0.1. The reason I stuck with eth0.1
was that barrier breaker usually uses eth0.1 for br-lan with vlan enabled
(eth0.1 appears in Luci in cerowrt). So in cero I just reenabled the vlan
and used a type "bridge" on the network section (I renamed this section
se99 instead of se00).

I then added se99 to the "lan" zone of the firewall. In the wireless
config I specified network as "se99" instead of sw10 and sw00. I confirmed
that the setup was correct in the web interface where eth0.1 sw00 and sw10
appeared under the new bridged interface ( there was the nice icon with the
iface in brackets).

I went on to modify the dhcp config of se00 and changed se00 occurrences to
se99 and commented out entries for sw10/sw00. --> this would give me dhcp
running on my new bridge.

After a dnsmasq restart dnsmasq.conf shows the dhcp ranges line with
interface se99. (I was expecting to see br-se99 but maybe that file is
alias aware, could be wrong here).

After a network restart I lost connectivity on cable. Wireless was working.

I played a tad more and eventually lost wifi as well and had to reflash the
router via tftp/factory image (maybe there is a reset trick you could give
me to avoid this step).

Are you running cerowrt in bridge mode? If yes could you share your
network/firewall/dhcp config? Is there another file I should have edited
and missed?

Cheers,
V
Fred Stratton
2014-02-24 10:18:52 UTC
I suggest you read the cero wiki. This details the original design
decisions. On the router,

ssh in, and use

mtd -r erase fs_data

to recover to defaults. See

http://wiki.openwrt.org/doc/techref/mtd

If you ever have used BB daily builds, you can type this in your sleep.
Fred Stratton
2014-02-24 11:03:31 UTC
So much for memory

mtd -r erase rootfs_data

is the correct invocation.
Vincent Frentzel
2014-02-24 11:35:23 UTC
I am familiar with that command :) Was wondering if there was something I
could do when I cannot ssh into the router. As mentioned above, when trying
to configure the bridge I hit a point where I couldn't get into the router
anymore.

I understand the design decisions of the project and far from me the idea
of challenging them :) I was simply trying to provide an alternative config
with a standard bridge ethernet + wifi for reference. I believe that in the
case mentioned by Sebastian (multiple, mobile, devices accessing resources
across segments) bridging is a simple way forward.

In my particular case, correct route propagation is a problem on IPv6 (I'm
not running babel) and I have only 2 wifi clients... Bridging has never
shown any perf issues in the past so I'd like to switch back to this
simpler setup. I can picture that this might not fit the bill for more
intensive use cases.
Fred Stratton
2014-02-24 12:45:55 UTC
There are no button presses to bring the box back, as you can with some
TP-Link routers.

You could use a serial lead if you opened the case. No one has mentioned
trying this with cero on the list.

So far, all bridging attempts with cero have been unproductive. However
sound the theoretical approach, they have not worked in practice.

As you would expect, subnetting a /48 works. DT has got subnetting
working with a /60 in the last 2 weeks.

That is the current state of play.

6relayd on OpenWRT is very difficult to configure. dnsmasq tends to be
simpler.

Perhaps Kelley has something to say about configuration with, say, a /64
provided by free.fr

I know of only one ISP which provides a /48 to customers.
Robert Bradley
2014-02-24 12:54:33 UTC
Post by Fred Stratton
There are no button presses to bring the box back, as you can with
some TP-Link routers.
You could use a serial lead if you opened the case. No one has
mentioned trying this with cero on the list.
In my experience, reflashing via TFTP tends to work well in terms of
resetting the configuration.

As an aside, I've noticed that occasionally I get an "enable_vlan4k"
sneaking into /etc/config/network if I've looked at the vlan page. If
that happens, the wired LAN breaks. Perhaps it's worth checking that
first via the wireless link?
--
Robert Bradley
Vincent Frentzel
2014-02-24 13:05:47 UTC
Thanks Robert.

I indeed had enable_vlan4k in the network. Will definitely try to remove
this. When you enable the vlan do you use the eth0.1, eth0.2, etc.. stanza
for the interface or se00? Is se00 an alias for eth0.1?


Robert Bradley
2014-02-24 13:48:19 UTC
Post by Vincent Frentzel
Thanks Robert.
I indeed had enable_vlan4k in the network. Will definitely try to
remove this. When you enable the vlan do you use the eth0.1, eth0.2,
etc.. stanza for the interface or se00? Is se00 an alias for eth0.1?
I'm open to corrections, but from what I have seen here the se00
interface in Luci maps to a physical se00 interface by default. That
interface receives vlan tagged packets from the embedded switch which
then appear untagged on eth0.x. With VLANs enabled you'd remap the Luci
"se00" from the raw se00 Ethernet interface to eth0.1 via the "Physical
Settings" tab for vlan 1 and create new interfaces in Luci for your new
vlans.
--
Robert Bradley
Sebastian Moeller
2014-02-24 13:35:48 UTC
Hi Vincent,
I am familiar with that command :) Was wondering if there was something I could do when I cannot ssh into the router. As mentioned above, when trying to configure the bridge I hit a point where I could nt get in the router anymore.
I understand the design decisions of the project and far from me the idea of challenging them :) I was simply trying to provide an alternative config with a standard bridge ethernet + wifi for reference. I believe that in the case mentioned by Sebastian (multiple, mobile, devices accessing resources across segments) bridging is a simple way forward.
I agree it would be quite valuable to have a nice simple how to switch to bridged mode for cerowrt (just as openwrt has one for switch to routed mode)
In my particular case, correct route propagation is a problem on IPV6 (im not running babel) and I have only 2 wifi clients…
I have similar issues: as secondary router cerowrt gets a working /64 address for itself and ping6 and friends work, and all downstream interfaces get valid ip6 addresses from the primary router's /56, but none of them gets a working (default) route (and that only after switching ra and dhcp from server to hybrid in /etc/dhcp). Since I do not need ip6 for anything yet that is a low priority issue for me though (and nothing that would make me abandon routing).

best regards
Sebastian
Sebastian Moeller
2014-02-24 13:29:23 UTC
Hi Vincent,
Post by Sebastian Moeller
I could be totally out for lunch here, but shouldn't that be se00 (secure ethernet) instead of eth0.1? At least on 3.10.28-14 neuter "ifconfig" nor /etc/config/network mentions eth0.1 at all. Could you post both of these (so the result of calling ifconfig on a terminal on the router and the content of /etc/config/network ;), I am sure you know what I meant, just dying to be verbose for the sake of people stumbling over the archive of the mailing list)
Hi Sebastian,
Understood. I will come back to you with the ifconfig.
For info, I did try both se00 and eth0.1.
Ah, okay, so I was out for lunch then ;)
Post by Sebastian Moeller
The reason I stuck with eth0.1 was that barrier breaker usually uses eth0.1 for br-lan with vlan enabled (eth0.1 appears in Luci in cerowrt).
Why do you need vlan at all for bridging (honest question, I really do not know whether that is a requirement in current openwrt or not)?
Post by Sebastian Moeller
So in cero I just reenabled the vlan and used a type "bridge" on the network section (I renamed this section se99 instead of se00).
I then added se99 it to the "lan" zone of the firewall. In the wireless config I specified network as "se99" instead of sw10 and sw00. I confirmed that the setup was correct in the web interface where eth0.1 sw00 and sw10 appeared under the new bridged interface ( there was the nice icon with the iface in brackets).
I went on to modify the dhcp config of se00 and changed se00 occurrences for se99 and commented out entries for sw10/sw00. --> this would give me dhcp running on my new bridge.
After a dnsmasq restart dnsmasq.conf shows the dhcp ranges line with interface se99. (I was expecting to see br-se99 but maybe that file is alias aware, could be wrong here).
After a network restart I lost connectivity on cable. Wireless was working.
Did you confirm that both radios are bridged now?
Post by Sebastian Moeller
I played a tad more and eventually lost wifi as well and had to reflash the router via tftp/factory image (maybe there is a reset trick you could give me to avoid this step).
Caveat, I am a simple cerowrt user, so don't expect too much; I have found no alternative to the tftp method if the router can not be reached over any of the interfaces anymore.
Post by Sebastian Moeller
Are you running cerowrt in bridge mode?
No, I stick to the default routed mode. I fully bought into Dave's reasoning here and hope that we end up being able to make all essential services work over routing ;) (At home I have a smb-server on the wired segment and two notebooks that occasionally want to reach that server, running samba server on the router is sufficient for name resolution to work, mind you the notebooks are both macs so I have no idea whether that would work with windows clients...)
Post by Sebastian Moeller
If yes could you share your network/firewall/dhcp config? Is there another file I should have edited and missed?
Sorry, I have no idea.

Best Regards
Sebastian
Post by Sebastian Moeller
Cheers,
V
Dave Taht
2014-02-24 16:24:49 UTC
Permalink
On Sun, Feb 23, 2014 at 2:10 PM, J. Daniel Ashton
While you're looking at things that ought to be in the default configuration
(or in "a" default configuration, perhaps available on the wiki), there are
mDNS sharing across non-guest segments: my wife on Wi-Fi, I on Ethernet,
should be able to see each other's iTunes libraries and the mDNS-advertised
printer.
Google's new Chromecast device useable from all non-guest segments: it has
no Ethernet port, so it is on Wi-Fi at 2Mhz, my tablet on Wi-Fi at 5Mhz, and
my desktop on Ethernet. Both tablet and desktop should be able to see the
Chromecast and control it.
I really like the CeroWrt approach to network segmentation: I felt like I
was learning best practices as I read up on what you chose to do. But the
above use cases seem to be problematic with this approach.
It was a fortuitous historical accident. We needed to be able to look at 2.4ghz, 5ghz and ethernet traffic separately, so we broke apart the bridging everybody else does.

Just to be able to do tcpdumps and see what the heck was going on....

Solutions to a lot of problems fell out. Multicast became less of a problem in particular, we were able to see clearly a bunch of wireless g vs n behaviors, wireless worked better in general, we were able to debug different aspects of different radios, etc.

and see the effects of double nat and of bridging multiple broadcast domains together even on a small scale in the home...

And (Sigh) the existing problems that bridging everything had worked around became more acute and interesting.

We ended up giving some fresh love to routing protocols, coming up with schemes to distribute and route ipv6 prefixes instead of bridging them, and finding the most annoying "features" of others like mdns and ssdp and upnp.

In terms of fixing mdns, there is a new set of RFCs and work going on to make it work better over routed networks. A whole ietf wg, actually. Some drafts:

http://tools.ietf.org/html/draft-cheshire-mdnsext-hybrid-01
http://tools.ietf.org/html/draft-stenberg-homenet-dnssd-hybrid-proxy-zeroconf-00

(fixing mdns is certainly important in larger networks, the core requests are coming from colleges)

As for the chromecast I don't know how it presently announces its services, but if it's mdns, the above stuff will fix it I hope. Eventually.

Some code for this now exists, but it's pretty raw...
Hi everyone,
After installing ceroWRT the first thing I did was to reconfigure the
firewall as shown attached. My router is used as home gateway and I wanted
to lock down the device a bit.
- LAN (s+) to/from GUEST (g+) is not allowed.
- GUEST to ROUTER is restricted to DNS/DHCP/NTP.
I note that even dns is a problem in terms of leaking information about
your network, so is mdns.
the "g+" convention can simplify access to the internet in the rules too.
There are also potential problems in enabling the polipo proxy.
Note that the mesh networking interfaces are also "g", and there is
something of a conflict between allowing the mesh network and guest
access.
I used to solve this somewhat with the babel authentication extensions.
http://tools.ietf.org/id/draft-ovsienko-babel-hmac-authentication-06.html
at the moment that code had landed in the quagga branch of babel,
not babel itself.
- I've tuned the basic IPV6 rules to take the above changes into account
and allow proto 41 INPUT for 6to/in4 tunnels.
- LAN to/from ROUTER everything is allowed.
This could be a nice default config.
Feedback welcome.
After getting the last release out I took a break from email, and didn't
get to this.
There are certainly conflicting desires for how to do firewalling. Historically
we run fairly open by default due to cerowrt's origin as a research project.
In the case where we want to open the network somewhat to house guests, being
able to have reasonably secure (ssh and printing) protocols open to them
is a help.
In the case where I want to share my network with the neighborhood,
locking things down as per the above makes more sense. I'd argue for even
stronger measures, actually, something that an org like openwireless.org
could recommend so that people can feel safe in sharing their wifi again.
I think we should put up alternate configs like this somewhere on the wiki,
or in a git tree...
I have a few other desirable configs on the list.
-1) gui support for the + syntax would be good.
0) I really, really, really want bcp38 support, using ipset. I wouldn't
mind a complete switch to ipset for a variety of things, but some
benchmarking along the way would be good to compare the existing schemes
one problem I've run into in turning on bcp38 by default is dealing
with double nat on the dhcp'd interfaces.
1) a more "normal", bridged implementation more like people are used to.
2) vlan support (I've never managed to make vlans work with babel, btw)
3) ?
--
Daniel Ashton PGP key available http://Daniel.AshtonFam.org
AIM: FirstFiddl ICQ# 9445142 http://MDMusic.org
--
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
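Vincent's attached firewall config did not survive in the archive. The fragment below is an added example written for this archive page, not Vincent's attachment and not CeroWrt's shipped /etc/config/firewall. It shows how the rules described in the thread look as an OpenWrt-style /etc/config/firewall: LAN (s+) and GUEST (g+) zones matched by device-name wildcard, no forwarding between them, GUEST to ROUTER limited to DHCP/DNS/NTP (plus the ICMPv6/DHCPv6 a v6 guest needs at all), LAN to ROUTER fully open, proto 41 accepted on WAN for 6in4, and one BCP38-style egress rule for the wish-list item in Dave's reply. Assumptions: the "s+"/"g+" convention from the thread is taken to mean the zone's `option device` value is handed to iptables as an interface wildcard; the LAN prefix 172.30.42.0/24 is a constructed value; the `!` prefix on `src_ip` is fw3's negation syntax.

```uci
# /etc/config/firewall -- constructed example, not a CeroWrt default

config defaults
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT	# no zone-to-zone traffic unless a forwarding section allows it
	option syn_flood	1

# LAN: everything the thread calls "s+" (se00, sw00, sw10, ...)
config zone
	option name		lan
	option device		's+'	# assumed: passed to iptables as -i s+ / -o s+
	option input		ACCEPT	# LAN to ROUTER: everything allowed
	option output		ACCEPT
	option forward		ACCEPT	# LAN segments may talk to each other

# GUEST: everything called "g+" (note Dave's point: mesh interfaces match this too)
config zone
	option name		guest
	option device		'g+'
	option input		REJECT	# only the rules below reach the router
	option output		ACCEPT
	option forward		REJECT	# guest segments are isolated from each other as well

config zone
	option name		wan
	option network		'wan wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

# Internet access for both zones; the absence of a lan<->guest forwarding
# section plus "forward REJECT" in defaults is what blocks LAN to/from GUEST.
config forwarding
	option src		lan
	option dest		wan

config forwarding
	option src		guest
	option dest		wan

# GUEST -> ROUTER: DHCP, DNS, NTP only
config rule
	option name		Allow-Guest-DHCP
	option src		guest
	option proto		udp
	option src_port		67-68
	option dest_port	67-68
	option target		ACCEPT

config rule
	option name		Allow-Guest-DNS
	option src		guest
	option proto		tcpudp
	option dest_port	53
	option target		ACCEPT

config rule
	option name		Allow-Guest-NTP
	option src		guest
	option proto		udp
	option dest_port	123
	option target		ACCEPT

# Minimum for an IPv6 guest: neighbour/router discovery and DHCPv6
config rule
	option name		Allow-Guest-ICMPv6
	option src		guest
	option proto		icmp
	option family		ipv6
	option limit		'1000/sec'
	option target		ACCEPT

config rule
	option name		Allow-Guest-DHCPv6
	option src		guest
	option proto		udp
	option family		ipv6
	option src_port		546
	option dest_port	547
	option target		ACCEPT

# 6in4 / 6to4 tunnel termination on the router (IP protocol 41), as in the thread
config rule
	option name		Allow-6in4
	option src		wan
	option proto		41
	option target		ACCEPT

# BCP38 egress: nothing leaves towards WAN with a source that is not ours
config rule
	option name		BCP38-Egress
	option src		lan
	option dest		wan
	option src_ip		'!172.30.42.0/24'	# constructed LAN prefix; "!" assumed fw3 negation
	option target		DROP
```

Two things worth checking after loading this: that the `g+` wildcard does not swallow an interface you meant to keep in LAN (Dave's mesh remark), and that the DNS rule is really wanted, since, as he also notes, a resolver answering guest queries can leak local host names. The BCP38 rule is egress only on purpose; the ingress half (dropping RFC1918 sources arriving on WAN) is exactly what breaks under the double NAT Dave mentions, because the upstream router's own subnet would then have to be exempted from the drop, and that subnet is only known once the WAN lease is obtained.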
David Lang
2014-03-03 19:41:30 UTC
Permalink
Post by J. Daniel Ashton
it has no Ethernet port, so it is on Wi-Fi at 2Mhz, my tablet on
Wi-Fi at 5Mhz, and my desktop on Ethernet. Both tablet and desktop
should be able to see the Chromecast and control it.
There is a pretty basic problem with Chromecast in that the app to configure it
looks at what network the android device is on and tries to have the Chromecast
connect to that same network. If you have different SSIDs for 2.4 and 5GHz and
are connected to 5GHz the result is failure, even if the networks are bridged
together (let alone routed)

I'll have to go back and test again, but I think I still had problems even after
the initial configuration if I connected to it via the wrong network.

David Lang
